SEC Enforcement Focused on Recordkeeping Violations Involving Communications on Personal Devices

[33965]

December 17, 2021

TO: ICI Members
Chief Compliance Officer Committee
Technology Committee SUBJECTS: Compliance
Litigation & Enforcement RE: SEC Enforcement Focused on Recordkeeping Violations Involving Communications on Personal Devices

 

The SEC's Division of Enforcement today announced the settlement of an action with J.P. Morgan Securities, LLC, a broker-dealer.[1] According to the SEC's press release announcing the action, it  involved "widespread and longstanding failures by the firm and its employees to maintain and preserve written communications."[2] While this action, the violations the firm admitted to (which involve personal devices), and the sanctions imposed are summarized below, the Press Release contains the following statement from SEC Chair Gensler about the importance of recordkeeping in light of current technologies:

Since the 1930s, recordkeeping and books-and-records obligations have been an essential part of market integrity and a foundational component of the SEC's ability to be an effective cop on the beat. As technology changes, it's even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight.  [Emphasis added.]

The Press Release also notes that other firms may not be complying with the recordkeeping requirements: "[T]he SEC has commenced additional investigations of record preservation practices at financial firms."[3] It encourages "[f]irms that believe that their record preservation practices do not comply with the securities laws to contact the SEC" through an email address dedicated to broker-dealers reporting recordkeeping violations.[4]

The Respondent's Unlawful Conduct

According to the Order, these proceedings involving the failure of the Respondent's employees throughout the firm, "including those at senior level," to adhere to certain recordkeeping requirements imposed on broker-dealers. In particular, "these employees communicated both internally and externally via personal text messages, WhatsApp messages, and emails on their personal devices." While such communications related to the securities business of the Respondent, none of them were retained and some were not able to be furnished promptly to Commission staff upon request. In addition to violating recordkeeping requirements, the firm's "widespread failure to implement its policies and procedures which [sic] forbid such communications led to its failure to reasonably supervise its employees . . .."  These recordkeeping and supervisory violations, which occurred from at least January 2012 through at least November 2020, were "firm-wide, and involved employees at all levels of authority."[5]

The Order continues:

. . . this widespread practice was not hidden within the firm. To the contrary, supervisors - i.e., the very people responsible for supervising employees to prevent this misconduct - routinely communicated using their personal devices. In fact, dozens of managing directors across the firm and senior supervisors responsible for implementing [the firm's] policies and procedures, and for overseeing employees' compliance with those policies and procedures, themselves failed to comply with the firm policies by communicating using non-firm approved methods on their personal devices about the firm's securities business.

During the time it failed to maintain these records, the firm had received and responded to "subpoenas for documents and recorded requests in numerous Commission investigations." In responding to these subpoenas, the firm "frequently did not search for records contained on the personal devices" of its employees relevant to the Commission's inquiries. As a result, the firm's failures "impacted the Commission's ability to carry out its regulatory functions and investigate potential violations of the federal securities laws  . . .; the Commission was often deprived of timely access to evidence and potential sources of information for extended periods of time and, in some instances, permanently." The Order notes that, after Commission staff alerted the firm to its failure to produce text messages in an ongoing matter, the firm "identified other recordkeeping failures that it subsequently reported to the [SEC] staff." It also engaged in a review of certain recordkeeping failures and began a program of remediation.

In terms of the firm's recordkeeping policies and procedures, the Order states that firm employees "were advised that the use of unapproved electronic communications methods, including on their personal devices, was not permitted and they should not use personal email, chats or text applications for business purposes, or forward work-related communications to their personal devices." Also, "WhatsApp" was identified by name as a prohibited communications method for business communications. The firm's supervisory policies required supervisors to ensure that employees completed training on the firm's communications policies and adhered to the firm's books and recordkeeping requirements. The supervisory policies delegated the responsibility for screening and reviewing electronic communications to the e-surveillance group in the compliance department. All employees, including supervisors, were required to self-attest to their compliance with the policy. The firm, however, "failed to implement a system of follow-up and review to determine that supervisors' responsibility to supervise was being reasonably exercised so that the supervisors could prevent and detect employees' violations of the books and records requirements. . . .  Even after the firm became aware of the significant violations, the widespread recordkeeping failures and lapses continued with a significant number of [firm] employees failing to follow basic recordkeeping requirements."

As regards details of the violations the firm admitted to, the Order notes that:

• With respect to WhatsApp, an executive director and co-supervisor of the high grade credit trading desk launched a WhatsApp group chat entitled "Portfolio Trading/auto ex" in April 2012. He invited nineteen members of the trading desk to join the chat. During 2019, "at least 1,100 messages were sent among the chat group." Nearly all of these concerned the firm's securities business, including investment strategies, discussions of client meetings, and communications about market color, analysis, activity trends, or events.  
• From 2019-2020, an executive director of the firm texted with more than one hundred firm employees, customers, clients, third-party advisers, and market participants.
• From January 2018 to November 2019, in connection with work performed on behalf of an investment banking clients, the firm's employees, including desk heads, managing directors, and other senior executives sent and received more than 21,000 texts related to the firm's securities business using unapproved communications methods on their personal devices. None of these messages, which occurred between and among senior-level firm executives and employees, customers, clients, third-party advisers, and other market participants, were preserved. 

Although the firm failed to produce upon request of the SEC business communications that were sent or received using unapproved communications devices, the SEC staff learned of such communications from third parties that had received these text messages. Apparently, approximately one year after the firm received the SEC's subpoena, and three months after the SEC staff alerted the firm to the missing communications, the firm began to produce the text messages that were responsive to the original subpoena. Some communications, however, had already been deleted and were not recoverable. According to the Order, "the Commission expended significant additional resources to investigate [the firm's] production failures," which delayed the SEC's investigation.

The Respondent's Admissions[6]

According to the Order, in the Offer of Settlement the firm submitted to the SEC to resolve this matter, the firm admitted the facts set forth in the Order and acknowledged that its conduct violated the federal securities laws.

In particular, the firm admitted that it willfully violated the recordkeeping requirements of Section 17(a) of the Securities Exchange Act of 1934 and Rules 17a-4(b)(4) and 17a-4(j) thereunder, which require broker-dealers to maintain, for at least three years, originals of all communications received and sent relating to the business of a broker-dealer and to furnish such records to the SEC staff upon request. The firm also admitted that it failed to reasonably supervise its employees with a view towards preventing or detecting certain of its employees' aiding and abetting violation of the federal securities laws contrary to Section 15(b)(4)(E) of the Exchange Act, which imposes upon registrants a duty to reasonably supervise. 

The Sanctions Imposed on the Respondent

Based on the Respondent's violations, it was censured, ordered to cease and desist from further violations, ordered to pay a civil monetary penalty of $125 million within 14 days and agree to the following Undertakings:

Retaining a Compliance Consultant

The Undertakings require the firm to retain a Compliance Consultant to address the issues described in the Order. Among other things, the Compliance Consultant must:

• Conduct a comprehensive review of the firm's supervisory, compliance, and other policies designed to ensure all e-communications, including those on personal devices, are preserved as required by law;
• Conduct a comprehensive review of the firm's training related to preservation of e-communications, including those on personal devices;
• Ensure that firm employees are required to certify at least quarterly that they are complying with preservation requirements;
• Assess the firm's surveillance program to ensure compliance with requirements related to preserving e-communications, including those on personal devices;
• Assess the technological solutions the firm has begun to implement to meet it recordkeeping requirements under the law, including assessing "the likelihood the firm's personnel will use these solutions and the firm's ability to track such usage;"
• Assess the measures used by the firm to prevent the use of unauthorized communications methods for business communications by employees;
• Review the firm's e-communication surveillance routines to ensure that e-communications through approved communications methods found on personal devices are incorporated into the firm's overall communications surveillance program; and
• Conduct a comprehensive review of the framework adopted by the firm to address instances of employees' non-compliance with the firm's policies and procedures regarding the use of personal devices to communicate about the firm's business. Such review must include how the firm determined which employees failed to comply with its policies and procedures, the corrective action carried out, an evaluation of who violated the policies and why, what penalties were imposed, and whether such penalties were handed out consistently across business lines and seniority levels.

Within 45 days after completing of the Consultant's review, the Consultant must submit a detailed report of its findings to the firm and the SEC. With limited exceptions, the firm must adopt all recommendations in the Consultant's report within 90 days. One year following submission of the Consultant's report, the firm must require the Consultant to conduct a follow-up review regarding the firm's implementation of the Consultant's recommendation. 

Report to the SEC on Disciplinary Actions Taken Against Employees

In addition to the above, for two years following the Order, the firm must notify SEC staff upon the imposition of any discipline it imposes on an employee for violating the firm's policies and procedures relating to the preservation of e-communications. For purposes of this requirement, "discipline" includes, but is not limited to, written warnings, loss of any pay, bonus, or incentive compensation, or the termination of employment. 

Internal Audit Report to the Parent Company's Board

The Undertakings also require the firm's Internal Audit function to conduct an audit to assess the firm's progress in the areas to be reviewed by the Compliance Consultant. Upon completion of the internal audit, the firm is required to ensure that Internal Audit submits a report of its findings to the Audit Committee of the Board of Directors of the firm's parent organization and to the SEC staff.

Future Cooperation with the SEC staff

Finally, the firm is required to cooperate fully with the SEC in any and all investigations, litigations, or other proceedings relating to or arising from the matters discussed in the Order. As part of its cooperation, the firm agrees to "produce, without service of a notice or subpoena, any and all documents and other materials and information concerning the use and preservation of electronic communications as requested by the SEC," provided the information is not privileged. It must also "use its best efforts to cause its current and former employees, officers, and directors to be interviewed by, or to appear and provide testimony to, the Commission staff at such times and places as the staff requests upon reasonable notice."

 

Tamara K. Salmon
Associate General Counsel

 

endnotes

[1]  See In the Matter of J.P. Morgan Securities, LLC, SEC Administrative Proceeding File No. 3-20681 (December 17, 2021) (the "Order"), which is available at https://www.sec.gov/litigation/admin/2021/34-93807.pdf?utm_medium=email&utm_source=govdelivery. 

[2]  See JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges, SEC Press Release No. 2021-262 (December 17, 2021)(the "Press Release"), which is available at https://www.sec.gov/news/press-release/2021-262?utm_medium=email&utm_source=govdelivery.

[3]  It should be noted that the recordkeeping requirements imposed on broker-dealers under Federal law are more extensive than those imposed on mutual funds or fund advisers. While mutual funds and fund advisers are required to preserve only those records listed in the rules the SEC has adopted under Section 31 of the Investment Company Act of 1940 and Section 204 of the Investment Advisers Act of 1940, respectively, the rules under the Securities Exchange Act of 1934 require broker-dealers to maintain and preserve all records relating to the business of the broker-dealer. 

[4]  The Press Release includes this quote from Gurbir S. Grewal, the Director of the Enforcement Division: "We encourage registrants to not only scrutinize their document preservation processes and self-report failures such as those outlined in today's action before we identify them, but to also consider the types of policies and procedures [the Respondent] implemented to redress its failures in this case."

[5]  No individuals were named as respondents in the Order.

[6] When he became Director of the SEC's Division of Enforcement, Gurbir S. Grewal announced his intent to require Respondents in actions brought by the Commission to admit violations of law documented in administrative proceedings. Prior to his tenure, the SEC's orders typically noted that, while a Respondent neither admitted or denied the violations discussed in a proceeding, the SEC found the violations to have occurred.